Uninstalling AIR Responders

Last updated 1 month ago

There are several ways to uninstall the AIR Responder from assets: from the AIR Console, or by working directly on the asset itself.

Only remove the Responder if you have no intention of revisiting the asset for further investigation. If you later need to investigate the asset again, a fresh Responder deployment will be required.

From the Assets button in the Main Menu, select one or more assets and then, via the Bulk Action Bar, choose either 'Uninstall Responder' or 'Uninstall Responder and purge console data'.

It is also possible to uninstall a Responder from an individual asset's Asset Info page by selecting the option from the Asset Actions drop-down menu.

The 'Uninstall Responder' option removes the AIR Responder application from the selected assets.

The 'Uninstall Responder and purge console data' option removes the AIR Responder application from the selected assets and deletes the data saved from those assets on the Console. All associated Tasks (e.g. Timeline) are also deleted from the Console. Data saved to Remote Storage and data saved locally on the asset remain intact; interACT or normal asset management tools can be used to remove that data.

Password Protection for AIR Responder Uninstallation

When the Uninstallation Password feature is enabled in AIR's settings, a protection password is required to uninstall the AIR Responder. This feature restricts the uninstallation process to command-line operations only, as uninstallation through the local operating system's user interface (UI) is disabled.

Here are the key points regarding this feature:

  1. Command-Line Uninstallation: The AIR Responder must be uninstalled using shell commands. During this process, the protection password must be included as an argument. This can be executed either locally or through remote management tools like SCCM.

  2. Local User Restrictions: Local users must have the protection password to uninstall the Responder. Without this password, uninstallation via local user interfaces is not possible.

  3. UI and API Uninstallation: Uninstallation through the AIR UI or API does not require the protection password, allowing for more flexible management remotely.

  4. Tamper Detection: AIR monitors and logs any tampering with the Responder. This includes actions like deletion, pausing, termination, or any interference, enhancing security and accountability.

Together, these controls ensure that only authorized personnel can remove the AIR Responder, adding a layer of protection against unauthorized tampering and supporting compliance with security policies.

Delete Asset option

The Delete Asset button is available only for Disk Image asset types; for any other asset type it remains greyed out. When used, it simply removes the Disk Image asset from the Console without affecting the asset itself.

As shown above, when attempting to delete assets, certain restrictions apply depending on the types of assets selected. For instance, if you select both a Windows asset and a Disk Image asset at the same time, the "Delete Asset" option becomes unavailable (greyed out), because the Windows asset is classified as non-deletable.

Key Details:

  • Non-Deletable Assets: Windows assets are considered non-deletable due to their critical nature or specific configuration settings that prevent deletion.

  • Tooltip Information: When the "Delete Asset" option is greyed out, a tooltip indicates that a non-deletable asset (the Windows asset) has been selected, making clear why deletion is restricted.

This design protects critical assets from accidental deletion and preserves the integrity of the Console's data management.

Uninstalling on Windows assets

Graphical User Interface (GUI) Method

To gracefully uninstall the Responder application from your Windows operating system, follow these steps:

  1. Navigate to the Control Panel.

  2. Access the "Add/Remove Programs" feature.

  3. Locate and select the Binalyze AIR Responder application from the list.

  4. Choose the option to uninstall.

Command Prompt Method

You can also uninstall the Responder application using the command prompt with the following methods:

Using Product Code

To uninstall via the product code, execute the following steps:

  • Identify the product code of the Responder using PowerShell (note that enumerating Win32_Product is slow, because Windows Installer validates every installed package while listing them):

get-wmiobject Win32_Product | Sort-Object -Property Name | Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize
  • Copy the identified product code.

  • Uninstall the Responder using msiexec:

msiexec /x "{84662419-2FEB-48D0-AFBF-C174D871A3CA}"

Using Original MSI File

If you possess the original MSI file of the Responder, you can proceed as follows:

msiexec /x "C:\Users\hio\Downloads\AIR.Agent_2.25.0_air-dev.binalyze.com_44_4ce0820f14f6461a_amd64_.msi"

Either method uninstalls the Responder application from the system.

Uninstalling a Password-Protected Responder

To uninstall a password-protected Responder, you can specify your uninstall password with the property UNINSTALL_PASSWORD by using the command prompt with the following command:

msiexec /x "{84662419-2FEB-48D0-AFBF-C174D871A3CA}" UNINSTALL_PASSWORD="my-password"

Uninstallation File and Directory Cleanup Process

When uninstalling the Binalyze AIR Responder from a computer, the following files and directories are cleaned up so that no residual data remains. All of these files are deleted by the Responder before the service is removed.

  • Utils Directory: The utils binaries located in the Responder's installation directory are removed. If the installation directory is C:\Program Files (x86)\Binalyze\AIR\agent, the folder can be found at:

    • C:\Program Files (x86)\Binalyze\AIR\agent\utils\

  • Upload Temporary Directory: The directory used for temporary storage of upload files is cleared. It can be found at one of the following paths:

    • C:\Users\[user]\AppData\Local\Temp\BinalyzeUploadTemp

    • C:\Windows\TEMP\BinalyzeUploadTemp

  • Update Temporary Directory: The directory used for temporary storage of update files is cleared. It can be found at one of the following paths:

    • C:\Users\[user]\AppData\Local\Temp\BinalyzeUpdateTemp

    • C:\Windows\TEMP\BinalyzeUpdateTemp

  • Update Task Download Directory: The directory used for downloading MSI binaries. If Windows is installed on C:\, the path is:

    • C:\BinalyzeUpdateTemp

  • Binalyze Temp Directories: If the temp location is C:\Windows\TEMP\, the paths are:

    • C:\Windows\TEMP\Binalyze

    • C:\Windows\TEMP\BinalyzeTemp

On Windows systems, the Responder selects the first non-empty value of the environment variables %TMP%, %TEMP% and %USERPROFILE%, falling back to the Windows directory, as its temporary storage location.

Uninstalling on Linux assets

On Ubuntu and Debian

  1. Open a terminal window.

  2. To uninstall the Binalyze AIR Responder package, use the following command:

    sudo apt remove binalyze-air-agent

    This command will uninstall the package.

On CentOS, Fedora, Redhat and similar distributions (using dnf)

  1. Open a terminal window.

  2. To uninstall the Binalyze AIR Responder package, run the following command:

    sudo dnf remove binalyze-air-agent

    This command will uninstall the package.

Uninstallation File and Directory Cleanup Process

When uninstalling the Binalyze AIR Responder from a computer, the following files and directories are cleaned up so that no residual data remains.

  • Drone Config File: The DRONE config file located in the Responder's installation directory is removed. If the installation directory is /opt/binalyze/air/agent, the file can be found at:

    • /opt/binalyze/air/agent/DRONE.Config.yml

  • Utils Directory: The utils binaries located in the Responder's installation directory are removed before the uninstallation of the service. If the installation directory is /opt/binalyze/air/agent, the folder can be found in:

    • /opt/binalyze/air/agent/utils

  • Upload Temporary Directory: The directory used for temporary storage of upload files is cleared. This folder can be found as follows.

    • /var/lib/binalyze/BinalyzeUploadTemp

  • Update Temporary Directory: The directory used for temporary storage of update files is cleared. This folder can be found as follows.

    • /var/lib/binalyze/BinalyzeUpdateTemp

  • Update Task Download Directory: The directory used for downloading deb or rpm binaries. If the Linux temp directory is /tmp, the folder can be found at:

    • /tmp/BinalyzeUpdateTemp

  • Binalyze Temp Directories: If the temp location is /tmp, the folders can be found as follows.

    • /tmp/Binalyze

    • /tmp/BinalyzeTemp

  • Persistent Folder: The persistent folder can be found in:

    • /var/lib/binalyze

  • Config File: The config file is located in the Responder's installation directory and is deleted after the Responder is removed. If the installation directory is /opt/binalyze/air/agent, the file can be found at:

    • /opt/binalyze/air/agent/config.yml

On Linux systems, the temporary location is $TMPDIR if it is set and non-empty, otherwise /tmp.

Uninstalling on macOS assets

To uninstall the Responder via the Terminal on macOS, execute the following command:

sudo /opt/binalyze/air/agent/air --uninstall

This command removes the Responder application from the macOS system.

Uninstalling a Password-Protected Responder

To uninstall a password-protected Responder, supply the uninstall password in the environment variable AIR_UNINSTALL_PASSWORD and run the uninstall command from the Terminal:

AIR_UNINSTALL_PASSWORD="my-password" sudo -E /opt/binalyze/air/agent/air --uninstall

Uninstallation File and Directory Cleanup Process

When uninstalling the com.binalyze.air-agent package from a computer, the following files and directories are cleaned up so that no residual data remains. All of these files are deleted by the Responder after the package info is deleted.

  • Utils Directory: The utils binaries located in the Responder's installation directory are removed before the uninstallation of the service. If the installation directory is /opt/binalyze/air/agent, the folder can be found in:

    • /opt/binalyze/air/agent/utils

  • Binaries: If the installation directory is /opt/binalyze/air/agent, these files are located in:

    • /opt/binalyze/air/agent/air

    • /opt/binalyze/air/agent/tactical

    • /opt/binalyze/air/agent/drone

  • Config File: This file is located in the Responder's installation directory. If the installation directory is /opt/binalyze/air/agent, the file can be found at:

    • /opt/binalyze/air/agent/config.yml

  • Drone Config File: This file is located in the Responder’s installation directory. If the installation directory is /opt/binalyze/air/agent, the file can be found in:

    • /opt/binalyze/air/agent/DRONE.Config.yml

  • Service File: This file can be found in:

    • /Library/LaunchDaemons/com.binalyze.air-agent.plist

  • Upload Temporary Directory: The directory used for temporary storage of upload files is cleared. This folder can be found at:

    • /var/lib/binalyze/BinalyzeUploadTemp

  • Update Temporary Directory: The directory used for the temporary storage of update files is cleared. This folder can be found as follows.

    • /var/lib/binalyze/BinalyzeUpdateTemp

  • Update Task Download Directory: The directory used for downloading pkg binaries. If the Unix temp directory is /tmp, the folder can be found at:

    • /tmp/BinalyzeUpdateTemp

  • Binalyze Temp Directories: If the temp location is /tmp, the folders can be found as follows.

    • /tmp/Binalyze

    • /tmp/BinalyzeTemp

  • Persistent Folder: The persistent folder can be found in:

    • /var/lib/binalyze

On Unix systems, the temporary location is $TMPDIR if it is set and non-empty, otherwise /tmp.
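After an uninstall, a responder should confirm that nothing listed in the Linux and macOS cleanup sections above was left behind (a leftover config.yml or persistent folder means the removal did not complete). The following script is an added example, not Binalyze's own tooling: it builds the expected path list from those two sections, resolves the temp location as the page describes ($TMPDIR, else /tmp), and reports any path that still exists. It assumes the default installation directory /opt/binalyze/air/agent and persistent folder /var/lib/binalyze; the optional root prefix is an assumption added so the check can be run against a mounted image or a test tree.

```shell
#!/bin/sh
# Post-uninstall residue check for the Binalyze AIR Responder (Linux/macOS).
# Added example; path list taken from the cleanup sections of this page.

# Temp location as described on the page: $TMPDIR if non-empty, else /tmp.
air_tmp_dir() {
    if [ -n "${TMPDIR:-}" ]; then
        printf '%s\n' "${TMPDIR%/}"
    else
        printf '%s\n' /tmp
    fi
}

# Print the paths the Responder is expected to remove, one per line.
# $1: platform ("linux" or "macos"); $2: optional root prefix (assumed, for
# checking a mounted image or a test tree; empty means the live system).
air_residue_paths() {
    platform=$1
    root=${2:-}
    inst_dir="$root/opt/binalyze/air/agent"     # default install directory
    persist="$root/var/lib/binalyze"            # persistent folder
    tmp="$root$(air_tmp_dir)"                   # Binalyze temp directories
    printf '%s\n' \
        "$inst_dir/utils" \
        "$inst_dir/config.yml" \
        "$inst_dir/DRONE.Config.yml" \
        "$persist/BinalyzeUploadTemp" \
        "$persist/BinalyzeUpdateTemp" \
        "$tmp/BinalyzeUpdateTemp" \
        "$tmp/Binalyze" \
        "$tmp/BinalyzeTemp" \
        "$persist"
    # macOS additionally removes the binaries and the LaunchDaemon plist.
    if [ "$platform" = macos ]; then
        printf '%s\n' \
            "$inst_dir/air" "$inst_dir/tactical" "$inst_dir/drone" \
            "$root/Library/LaunchDaemons/com.binalyze.air-agent.plist"
    fi
}

# List every expected-removed path that still exists.
# Return value is the number of leftovers (0 means the cleanup was complete).
check_air_residue() {
    count=0
    while IFS= read -r p; do
        if [ -e "$p" ]; then
            echo "residue: $p"
            count=$((count + 1))
        fi
    done <<EOF
$(air_residue_paths "$1" "${2:-}")
EOF
    return "$count"
}
```

Run it as `check_air_residue linux` (or `macos`) on the asset after the package removal; a non-zero exit status with the printed paths tells you what still needs attention.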

[Figure: Bulk Action uninstall]
[Figure: Individual asset uninstall]
[Figure: Tamper Detection Alerts amongst other 'normal' AIR activity]
[Figure: Identifying the product code of the Responder using PowerShell]